Merge pull request #140 from marshmellow42/iclass

iClass major updates
2025-08-20 21:33:19 -07:00 · 2015-10-13 09:39:04 +02:00 · 2015-10-13 09:39:04 +02:00 · be6250d31b
commit be6250d31b
parent 8c6b22980c f1f1aceaba
21 changed files with 1603 additions and 483 deletions
--- a/client/cmdhf.c
+++ b/client/cmdhf.c
@ -557,16 +557,16 @@ int CmdHFSearch(const char *Cmd){
 		PrintAndLog("\nValid ISO14443A Tag Found - Quiting Search\n");
 		return ans;
 	}
-	ans = HF14BInfo(false);
-	if (ans) {
-		PrintAndLog("\nValid ISO14443B Tag Found - Quiting Search\n");
-		return ans;
-	}
 	ans = HFiClassReader("", false, false);
 	if (ans) {
 		PrintAndLog("\nValid iClass Tag (or PicoPass Tag) Found - Quiting Search\n");
 		return ans;
 	}
+	ans = HF14BInfo(false);
+	if (ans) {
+		PrintAndLog("\nValid ISO14443B Tag Found - Quiting Search\n");
+		return ans;
+	}
 	ans = HF15Reader("", false);
 	if (ans) {
 		PrintAndLog("\nValid ISO15693 Tag Found - Quiting Search\n");
--- a/client/cmdhficlass.c
+++ b/client/cmdhficlass.c
--- a/client/cmdhficlass.h
+++ b/client/cmdhficlass.h
@ -14,11 +14,26 @@

 int CmdHFiClass(const char *Cmd);

-int CmdHFiClassSnoop(const char *Cmd);
-int CmdHFiClassSim(const char *Cmd);
+int CmdHFiClassCalcNewKey(const char *Cmd);
+int CmdHFiClassCloneTag(const char *Cmd);
+int CmdHFiClassDecrypt(const char *Cmd);
+int CmdHFiClassEncryptBlk(const char *Cmd);
+int CmdHFiClassELoad(const char *Cmd);
 int CmdHFiClassList(const char *Cmd);
 int HFiClassReader(const char *Cmd, bool loop, bool verbose);
 int CmdHFiClassReader(const char *Cmd);
+int CmdHFiClassReader_Dump(const char *Cmd);
 int CmdHFiClassReader_Replay(const char *Cmd);
-
+int CmdHFiClassReadKeyFile(const char *filename);
+int CmdHFiClassReadTagFile(const char *Cmd);
+int CmdHFiClass_ReadBlock(const char *Cmd);
+int CmdHFiClass_TestMac(const char *Cmd);
+int CmdHFiClassManageKeys(const char *Cmd);
+int CmdHFiClass_loclass(const char *Cmd);
+int CmdHFiClassSnoop(const char *Cmd);
+int CmdHFiClassSim(const char *Cmd);
+int CmdHFiClassWriteKeyFile(const char *Cmd);
+int CmdHFiClass_WriteBlock(const char *Cmd);
+void printIclassDumpContents(uint8_t *iclass_dump, uint8_t startblock, uint8_t endblock, size_t filesize);
+void HFiClassCalcDivKey(uint8_t	*CSN, uint8_t	*KEY, uint8_t *div_key, bool elite);
 #endif
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@ -1951,6 +1951,13 @@ int CmdHF14AMfSniff(const char *Cmd){
 	return 0;
 }

+//needs nt, ar, at, Data to decrypt
+int CmdDecryptTraceCmds(const char *Cmd){
+	uint8_t data[50];
+	int len = 0;
+	param_gethex_ex(Cmd,3,data,&len);
+	return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);
+}

 static command_t CommandTable[] =
 {
@ -1979,6 +1986,7 @@ static command_t CommandTable[] =
  {"cgetsc",	CmdHF14AMfCGetSc,		0, "Read sector - Magic Chinese card"},
  {"cload",		CmdHF14AMfCLoad,		0, "Load dump into magic Chinese card"},
  {"csave",		CmdHF14AMfCSave,		0, "Save dump from magic Chinese card into file or emulator"},
+  {"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},
  {NULL, NULL, 0, NULL}
 };

--- a/client/cmdlf.c
+++ b/client/cmdlf.c
@ -1138,7 +1138,7 @@ static command_t CommandTable[] =
 	{"read",        CmdLFRead,          0, "['s' silent] Read 125/134 kHz LF ID-only tag. Do 'lf read h' for help"},
 	{"search",      CmdLFfind,          1, "[offline] ['u'] Read and Search for valid known tag (in offline mode it you can load first then search) - 'u' to search for unknown tags"},
 	{"sim",         CmdLFSim,           0, "[GAP] -- Simulate LF tag from buffer with optional GAP (in microseconds)"},
-	{"simask",      CmdLFaskSim,        0, "[clock] [invert <1|0>] [manchester/raw <'m'|'r'>] [msg separator 's'] [d <hexdata>] -- Simulate LF ASK tag from demodbuffer or input"},
+	{"simask",      CmdLFaskSim,        0, "[clock] [invert <1|0>] [biphase/manchester/raw <'b'|'m'|'r'>] [msg separator 's'] [d <hexdata>] -- Simulate LF ASK tag from demodbuffer or input"},
 	{"simfsk",      CmdLFfskSim,        0, "[c <clock>] [i] [H <fcHigh>] [L <fcLow>] [d <hexdata>] -- Simulate LF FSK tag from demodbuffer or input"},
 	{"simpsk",      CmdLFpskSim,        0, "[1|2|3] [c <clock>] [i] [r <carrier>] [d <raw hex to sim>] -- Simulate LF PSK tag from demodbuffer or input"},
 	{"simbidir",    CmdLFSimBidir,      0, "Simulate LF tag (with bidirectional data transmission between reader and tag)"},
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@ -37,7 +37,7 @@ int usage_t55xx_config(){
 	PrintAndLog("Options:        ");
 	PrintAndLog("       h                        This help");
 	PrintAndLog("       b <8|16|32|40|50|64|100|128>     Set bitrate");
-	PrintAndLog("       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NZ|BI|BIa>  Set demodulation FSK / ASK / PSK / NZ / Biphase / Biphase A");
+	PrintAndLog("       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>  Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");
 	PrintAndLog("       i [1]                            Invert data signal, defaults to normal");
 	PrintAndLog("       o [offset]                       Set offset, where data should start decode in bitstream");
 	PrintAndLog("");
--- a/client/hid-flasher/usb_cmd.h
+++ b/client/hid-flasher/usb_cmd.h
@ -115,9 +115,17 @@ typedef struct {
 #define CMD_WRITER_LEGIC_RF                                               0x0389
 #define CMD_EPA_PACE_COLLECT_NONCE                                        0x038A

+#define CMD_ICLASS_READCHECK                                              0x038F
+#define CMD_ICLASS_CLONE                                                  0x0390
+#define CMD_ICLASS_DUMP                                                   0x0391
 #define CMD_SNOOP_ICLASS                                                  0x0392
 #define CMD_SIMULATE_TAG_ICLASS                                           0x0393
 #define CMD_READER_ICLASS                                                 0x0394
+#define CMD_READER_ICLASS_REPLAY                                          0x0395
+#define CMD_ICLASS_READBLOCK                                              0x0396
+#define CMD_ICLASS_WRITEBLOCK                                             0x0397
+#define CMD_ICLASS_EML_MEMSET                                             0x0398
+#define CMD_ICLASS_AUTHENTICATION                                         0x0399

 // For measurements of the antenna tuning
 #define CMD_MEASURE_ANTENNA_TUNING                                        0x0400
--- a/client/loclass/cipher.c
+++ b/client/loclass/cipher.c
@ -224,23 +224,44 @@ void MAC(uint8_t* k, BitstreamIn input, BitstreamOut out)
 void doMAC(uint8_t *cc_nr_p, uint8_t *div_key_p, uint8_t mac[4])
 {
 	uint8_t cc_nr[13] = { 0 };
-    uint8_t div_key[8];
+	uint8_t div_key[8];
 	//cc_nr=(uint8_t*)malloc(length+1);

-	memcpy(cc_nr,cc_nr_p,12);
-    memcpy(div_key,div_key_p,8);
+	memcpy(cc_nr, cc_nr_p, 12);
+	memcpy(div_key, div_key_p, 8);

 	reverse_arraybytes(cc_nr,12);
-	BitstreamIn bitstream = {cc_nr,12 * 8,0};
-    uint8_t dest []= {0,0,0,0,0,0,0,0};
-    BitstreamOut out = { dest, sizeof(dest)*8, 0 };
-    MAC(div_key,bitstream, out);
-    //The output MAC must also be reversed
-    reverse_arraybytes(dest, sizeof(dest));
-    memcpy(mac, dest, 4);
+	BitstreamIn bitstream = {cc_nr, 12 * 8, 0};
+	uint8_t dest []= {0,0,0,0,0,0,0,0};
+	BitstreamOut out = { dest, sizeof(dest)*8, 0 };
+	MAC(div_key,bitstream, out);
+	//The output MAC must also be reversed
+	reverse_arraybytes(dest, sizeof(dest));
+	memcpy(mac, dest, 4);
 	//free(cc_nr);
-    return;
+	return;
 }
+void doMAC_N(uint8_t *address_data_p, uint8_t address_data_size, uint8_t *div_key_p, uint8_t mac[4])
+{
+	uint8_t *address_data;
+	uint8_t div_key[8];
+	address_data = (uint8_t*) malloc(address_data_size);
+
+	memcpy(address_data, address_data_p, address_data_size);
+	memcpy(div_key, div_key_p, 8);
+
+	reverse_arraybytes(address_data, address_data_size);
+	BitstreamIn bitstream = {address_data, address_data_size * 8, 0};
+	uint8_t dest []= {0,0,0,0,0,0,0,0};
+	BitstreamOut out = { dest, sizeof(dest)*8, 0 };
+	MAC(div_key, bitstream, out);
+	//The output MAC must also be reversed
+	reverse_arraybytes(dest, sizeof(dest));
+	memcpy(mac, dest, 4);
+	free(address_data);
+	return;
+}
+
 #ifndef ON_DEVICE
 int testMAC()
 {
--- a/client/loclass/cipher.h
+++ b/client/loclass/cipher.h
@ -42,6 +42,8 @@
 #include <stdint.h>

 void doMAC(uint8_t *cc_nr_p, uint8_t *div_key_p, uint8_t mac[4]);
+void doMAC_N(uint8_t *address_data_p,uint8_t address_data_size, uint8_t *div_key_p, uint8_t mac[4]);
+
 #ifndef ON_DEVICE
 int testMAC();
 #endif
--- a/client/lualibs/commands.lua
+++ b/client/lualibs/commands.lua
@ -88,11 +88,17 @@ local _commands = {
 	CMD_EPA_PACE_COLLECT_NONCE =                                         0x038A,
 	--//CMD_EPA_ =                                                         0x038B,

+	CMD_ICLASS_READCHECK =                                               0x038F,
+	CMD_ICLASS_CLONE =                                                   0x0390,
+	CMD_ICLASS_DUMP =                                                    0x0391,
 	CMD_SNOOP_ICLASS =                                                   0x0392,
 	CMD_SIMULATE_TAG_ICLASS =                                            0x0393,
 	CMD_READER_ICLASS =                                                  0x0394,
-	CMD_READER_ICLASS_REPLAY =											 0x0395,
-	CMD_ICLASS_ISO14443A_WRITE =										 0x0397,
+	CMD_READER_ICLASS_REPLAY =                                           0x0395,
+	CMD_ICLASS_READBLOCK =                                               0x0396,
+	CMD_ICLASS_WRITEBLOCK =                                              0x0397,
+	CMD_ICLASS_EML_MEMSET =                                              0x0398,
+	CMD_ICLASS_AUTHENTICATION =                                          0x0399,

 	--// For measurements of the antenna tuning
 	CMD_MEASURE_ANTENNA_TUNING =                                         0x0400,
--- a/client/mifarehost.c
+++ b/client/mifarehost.c
@ -619,3 +619,23 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {

 	return 0;
 }
+
+int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, int len){
+	/*
+	uint32_t nt;      // tag challenge
+	uint32_t ar_enc;  // encrypted reader response
+	uint32_t at_enc;  // encrypted tag response
+	*/
+	if (traceCrypto1) {
+		crypto1_destroy(traceCrypto1);
+	}
+	ks2 = ar_enc ^ prng_successor(nt, 64);
+	ks3 = at_enc ^ prng_successor(nt, 96);
+	traceCrypto1 = lfsr_recovery64(ks2, ks3);
+
+	mf_crypto1_decrypt(traceCrypto1, data, len, 0);
+
+	PrintAndLog("Decrypted data: [%s]", sprint_hex(data,len) );
+	crypto1_destroy(traceCrypto1);
+	return 0;
+}
--- a/client/mifarehost.h
+++ b/client/mifarehost.h
@ -67,3 +67,4 @@ int isBlockEmpty(int blockN);
 int isBlockTrailer(int blockN);
 int loadTraceCard(uint8_t *tuid);
 int saveTraceCard(void);
+int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, int len);
--- a/client/util.c
+++ b/client/util.c
@ -333,7 +333,28 @@ int param_gethex(const char *line, int paramnum, uint8_t * data, int hexcnt)

 	return 0;
 }
+int param_gethex_ex(const char *line, int paramnum, uint8_t * data, int *hexcnt)
+{
+	int bg, en, temp, i;

+	//if (hexcnt % 2)
+	//	return 1;
+	
+	if (param_getptr(line, &bg, &en, paramnum)) return 1;
+
+	*hexcnt = en - bg + 1;
+	if (*hexcnt % 2) //error if not complete hex bytes
+		return 1;
+
+	for(i = 0; i < *hexcnt; i += 2) {
+		if (!(isxdigit(line[bg + i]) && isxdigit(line[bg + i + 1])) )	return 1;
+		
+		sscanf((char[]){line[bg + i], line[bg + i + 1], 0}, "%X", &temp);
+		data[i / 2] = temp & 0xff;
+	}	
+
+	return 0;
+}
 int param_getstr(const char *line, int paramnum, char * str)
 {
 	int bg, en;
--- a/client/util.h
+++ b/client/util.h
@ -55,6 +55,7 @@ uint64_t param_get64ex(const char *line, int paramnum, int deflt, int base);
 uint8_t param_getdec(const char *line, int paramnum, uint8_t *destination);
 uint8_t param_isdec(const char *line, int paramnum);
 int param_gethex(const char *line, int paramnum, uint8_t * data, int hexcnt);
+int param_gethex_ex(const char *line, int paramnum, uint8_t * data, int *hexcnt);
 int param_getstr(const char *line, int paramnum, char * str);

 int hextobinarray( char *target,  char *source);